Interesting spam/phish technique: look for subdomains whose CNAME or SPF records point at abandoned domains, register those domains yourself, and you effectively take control of the subdomain or of the SPF policy that includes it.

The researchers behind the report haven’t seen any cases where it has been used to host a phishing site at, say, an msn.com subdomain, but they have seen thousands of cases where it was used to pass sender-authentication (SPF) checks.

The article describing “SubdoMailing” gives a detailed example: a spam message sent from an msn.com subdomain that had been set up for a sweepstakes back in 2001. Its CNAME still pointed at the contest’s long-abandoned domain name, because the subdomain itself was never deleted, so whoever re-registered that domain inherited the msn.com subdomain.

Lesson: audit your DNS for dangling CNAME and SPF references to outside domains that may no longer be registered!
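To make that audit concrete, here is an added example (my own illustration, not code from the SubdoMailing report or from any of the parties it describes). It parses a small, constructed zone, pulls out every CNAME target and every SPF term that names another domain (`include:`, `a:`, `mx:`, `exists:`, `ptr:`, `redirect=`), collapses each to the domain someone would have to register, and reports the ones an injected `domain_exists` check says are gone. The zone, the `.invalid` target names and the `still_registered` set are all made up; the registrable-domain logic is a last-two-labels simplification that ignores the public suffix list.

```python
"""Scan a zone for CNAME and SPF references whose target domains may be unregistered."""
import re
import shlex
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed sample zone for illustration; none of these records are real.
# The ".invalid" targets stand in for long-abandoned third-party domains.
SAMPLE_ZONE = """
; constructed example zone for example.com
example.com.              3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 300
example.com.              3600 IN TXT   "v=spf1 include:_spf.mail-vendor-gone.invalid ip4:192.0.2.0/24 -all"
contest2001.example.com.  3600 IN CNAME sweepstakes-host-gone.invalid.
www.example.com.          3600 IN CNAME example.com.
news.example.com.         3600 IN TXT   "v=spf1 a:relay.partner.example.org redirect=spf.other-gone.invalid"
"""

# SPF terms that name another domain: include:, a:, mx:, exists:, ptr: and the redirect= modifier.
# Optional qualifier prefix; the domain stops at '/' so dual-CIDR suffixes (a:host/24) are dropped.
SPF_DOMAIN_RE = re.compile(r"^[+\-~?]?(include|a|mx|exists|ptr|redirect)[:=]([^/\s]+)", re.IGNORECASE)

Record = Tuple[str, str, str]  # (owner, rtype, rdata)


def parse_zone(zone_text: str) -> List[Record]:
    """Parse a simplified master-file zone: one `owner TTL IN TYPE rdata` record per line.
    Assumes TTL and class are always present (no $ORIGIN/$TTL, no multi-line records);
    quoted TXT strings are re-joined by shlex. Text after ';' is treated as a comment,
    so a ';' inside a TXT string (as in DMARC records) is not supported here."""
    records: List[Record] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 5:
            continue
        owner = fields[0].lower().rstrip(".")
        rtype = fields[3].upper()
        rdata = " ".join(fields[4:])
        records.append((owner, rtype, rdata))
    return records


def registrable(name: str) -> str:
    """Collapse a hostname to the domain someone would register (last two labels).
    Simplification: ignores the public suffix list, so 'host.example.co.uk' -> 'co.uk'.
    A production scan should use a PSL library here."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def external_targets(records: List[Record], zone_apex: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (owner, rtype, target_domain) for each CNAME target and each SPF term
    that refers to a registrable domain outside this zone."""
    apex = registrable(zone_apex)
    for owner, rtype, rdata in records:
        targets: List[str] = []
        if rtype == "CNAME":
            targets.append(rdata)
        elif rtype == "TXT" and rdata.lower().startswith("v=spf1"):
            for term in rdata.split():
                m = SPF_DOMAIN_RE.match(term)
                if m and "%" not in m.group(2):  # skip macro-expanded domains such as %{d}
                    targets.append(m.group(2))
        for target in targets:
            dom = registrable(target)
            if dom != apex:
                yield owner, rtype, dom


def find_dangling(zone_text: str, zone_apex: str,
                  domain_exists: Callable[[str], bool]) -> List[Tuple[str, str, str]]:
    """Return (owner, rtype, target_domain) for every outside reference whose
    registrable domain `domain_exists` reports as gone. The check is injected so
    the scan runs offline; in production it should query the candidate domain's
    SOA/NS (or RDAP) rather than an A record, because a registered domain with
    no A record is not dangling."""
    cache: Dict[str, bool] = {}
    findings: List[Tuple[str, str, str]] = []
    for owner, rtype, dom in external_targets(parse_zone(zone_text), zone_apex):
        if dom not in cache:
            cache[dom] = domain_exists(dom)
        if not cache[dom]:
            findings.append((owner, rtype, dom))
    return findings


if __name__ == "__main__":
    # Constructed stand-in for a real existence check: only example.org is "still registered".
    still_registered = {"example.org"}
    for owner, rtype, dom in find_dangling(SAMPLE_ZONE, "example.com", still_registered.__contains__):
        print(f"{owner} {rtype} -> {dom}: target domain not registered, candidate for takeover")
```

Run against the constructed zone this flags the old contest CNAME and the two SPF references (an `include:` and a `redirect=`) whose vendors have gone away, and ignores `www`, which points back at the zone's own apex. Note that the SPF side matters as much as the CNAME side: an `include:` of a domain nobody owns is an open invitation for the next registrant to publish `+all` on your behalf.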

SiteFinder was a “service” Verisign offered for a few weeks in 2003 in which DNS lookups for any non-existent domain in .com or .net responded with a pointer to an ad page. Techies revolted because it broke a lot of stuff. Verisign attempted to paint opponents of SiteFinder as a minority of anti-innovation “technology purists” who still resent the presence of commerce on the Internet. A shorter version of my response ran on CNet’s News.com as a letter to the editor.

Mark McLaughlin’s opinion piece, “Innovation and the Internet,” simply proves that Verisign has completely missed the point. The reason so many people objected to SiteFinder is not the service it provided, nor a rejection of innovation, but that it caused a significant number of non-web applications to fail. Verisign, a company that should know better, had forgotten that the Internet is more than just the web.

There are many applications besides the web which make use of DNS, and many of them take actions that depend on whether a domain exists or not. Some of the more obvious cases occur in spam blocking. For instance, mail servers often check whether the sender’s domain exists before accepting email. The DNS wildcard that powered SiteFinder broke this: suddenly, all domains would appear to be valid. A spammer could claim to be sadkjfhdsaf@asdfsadfjsdf.com, and the message would be accepted.
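To show the failure mode rather than just describe it, here is an added example (mine, not anything from the letter or from Verisign). It simulates two resolvers with constructed data: one normal, one where every unknown name under `.com` answers with a single “sink” address, as a registry-level wildcard does. The naive sender-domain check is fooled by the second; the wildcard-aware variant probes a random sibling label under the same parent and, if that unregisterable name comes back with the same address, refuses to count the positive answer as evidence. The addresses, names and the spammer domain are all made up.

```python
"""Sender-domain existence check that notices when a TLD (or other parent) is wildcarded."""
import secrets
from typing import Callable, Dict, Optional

# A resolver maps a name to an address, or None when the name does not exist (NXDOMAIN).
Resolver = Callable[[str], Optional[str]]


def make_resolver(zone: Dict[str, str], wildcard_suffix: Optional[str] = None,
                  wildcard_addr: Optional[str] = None) -> Resolver:
    """Build a simulated resolver from a name->address table. If wildcard_suffix is
    given, any unknown name ending in it resolves to wildcard_addr, mimicking a
    registry-level wildcard like the one behind SiteFinder. Constructed for the demo."""
    def resolve(name: str) -> Optional[str]:
        name = name.rstrip(".").lower()
        if name in zone:
            return zone[name]
        if wildcard_suffix and name.endswith("." + wildcard_suffix):
            return wildcard_addr
        return None
    return resolve


def naive_domain_exists(domain: str, resolve: Resolver) -> bool:
    """The check many mail servers relied on: the sender domain exists if it resolves."""
    return resolve(domain) is not None


def wildcard_aware_domain_exists(domain: str, resolve: Resolver) -> str:
    """Return 'exists', 'nxdomain' or 'wildcarded'.
    After a positive answer, probe a random label under the same parent. A random
    label cannot have been registered, so if it resolves to the same address the
    positive answer says nothing about the sender domain: treat it as inconclusive
    rather than as proof of existence."""
    addr = resolve(domain)
    if addr is None:
        return "nxdomain"
    domain = domain.rstrip(".").lower()
    parent = domain.split(".", 1)[1] if "." in domain else None
    if parent is None:  # single-label name, nothing to probe against
        return "exists"
    probe = f"nx-probe-{secrets.token_hex(8)}.{parent}"
    if resolve(probe) == addr:
        return "wildcarded"
    return "exists"


# Constructed data: two registered-looking names and a sink address standing in for
# the registry's ad page. None of these addresses or names are real.
REAL_NAMES = {"example.com": "192.0.2.10", "example.net": "192.0.2.20"}
SINK_ADDR = "192.0.2.1"

normal_dns = make_resolver(REAL_NAMES)
wildcarded_com = make_resolver(REAL_NAMES, wildcard_suffix="com", wildcard_addr=SINK_ADDR)


def demo() -> Dict[str, object]:
    """Run the same made-up spammer domain through both checks under both resolvers."""
    spammer = "asdfsadfjsdf.com"
    return {
        "naive/normal": naive_domain_exists(spammer, normal_dns),                  # False
        "naive/wildcard": naive_domain_exists(spammer, wildcarded_com),            # True: fooled
        "aware/wildcard": wildcard_aware_domain_exists(spammer, wildcarded_com),   # 'wildcarded'
        "aware/real": wildcard_aware_domain_exists("example.com", wildcarded_com),  # 'exists'
        "aware/normal": wildcard_aware_domain_exists(spammer, normal_dns),         # 'nxdomain'
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

A real `example.com` still comes back as `exists` under the wildcarded resolver because its own record answers with a different address than the probe does. The `wildcarded` result should be treated as “unknown”, not as a reason to reject: a legitimate organisation may run its own wildcard under a second-level domain, and a sender at `host.example.net` would then trip this probe for a perfectly good reason.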

Another issue is DNS-propagated blacklists: at least one (ORBS, if I remember correctly) had folded and allowed its domain name to expire, but many software packages still included it in their default configurations. Since people often install software without updating, they were seeing slightly slower results at first, but the SiteFinder wildcard suddenly caused all queries to return positive, and a number of servers began rejecting all mail. (Something similar happened with Osirusoft a month earlier, but that was intentional on the part of Osirusoft’s former administrator.)

Other people are concerned about the fact that misdirected email, instead of being routed to secondary servers (in the case of a bad configuration) or bounced back by the originating ISP, is being routed through Verisign. Here, it’s a matter of trust: if you trust Verisign to do the right thing and bounce it without looking at it, then you probably have no objection. But many people saw the arbitrary creation of the wildcard in the first place as a breach of trust, casting doubt on their trustworthiness in other areas.

There are ways to resolve the issue of mistyped websites that do not break other applications. Microsoft embedded this functionality in Internet Explorer some time ago. I believe AOL has done the same in their software. While there were probably some objections, in neither case did it cause other applications to stop working.

It’s not about being technology “purists,” stifling innovation, or keeping commercialism off the Internet. It’s about recognizing the fact that the Internet is a collaborative effort, not the private domain of any one company. If Verisign had submitted its idea for review, and given others a chance to point out its flaws and to make adjustments to their own software, this could all have been avoided. As it is, it is clear that Verisign neither thought through all the consequences nor is willing to recognize that there even are consequences. And that – not a desire to “hold the Internet back” – is the reason for the backlash.